OpenShift Authentication / AUTH-6

Logs should contain login and login failure details


    • Logs should contain login/logout and login failure details
    • OCPPLAN-5714 - Auth and API Improvements

      Summary (PM+lead)

      Configure audit logging to capture login, logout and login failure details

      Motivation (PM+lead)

      TODO(PM): update this

      Customer needs login, logout and login failure details inside OpenShift Container Platform.
      I have checked for this on my test cluster, but the audit logs do not contain any user name specifying login or logout details. For successful logins or logouts, on the CLI and in the OpenShift console as well, we can see 'Login successful' or 'Invalid credentials'.

      Expected results: Login, logout and login failures should be captured in audit logging.

      Goals (lead)

      1. Login, logout and login failures should be captured in audit logs

      Non-Goals (lead)

      1. Don't attempt to log login failures that happen inside the IdP's own login flow beyond the timeout, where the information is not available in explicit oauth-server requests (e.g. a GitHub password login error, which happens on the IdP's pages rather than in a request to oauth-server).
      2. Logout does not involve oauth-server: it is a plain deletion of the user's access token object served by oauth-apiserver, so it is already covered by that apiserver's own audit log. Hence, the audit log discussed here won't include logout.


      1. Changes to oauth-server to log into /var/log/oauth-server/audit.log on the master nodes.
      2. Documentation

      Proposal (lead)

      The apiserver pods today have `/var/log/<kube|oauth|openshift>-apiserver` mounted from the host and write their audit files there in the upstream audit event format (JSON lines, one Event per line, following https://github.com/kubernetes/apiserver/blob/92392ef22153d75b3645b0ae339f89c12767fb52/pkg/apis/audit/v1/types.go#L72). That format is shaped around API requests, but the oauth authentication flow consists of HTTP requests to oauth-server as well, so the same event shape can describe logins and login failures (logout is a request to oauth-apiserver; see Non-Goals). Hence, we propose that oauth-server create /var/log/oauth-server/audit.log on the master nodes in that format.

      When the login flow does not finish within a certain time (e.g. 10 min), oauth-server can synthesize an event that records the attempt as a login failure, since no further request to oauth-server will ever report its outcome.
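      As an added example (not code from this ticket or from oauth-server), the following Go program shows what the proposal above amounts to end to end: a login success, two login failures and the synthetic timeout failure written as JSON lines in a hand-written subset of the upstream audit.k8s.io/v1 Event type, then read back and counted per source address the way a detection rule over /var/log/oauth-server/audit.log would be. The Event struct copies the upstream field names and JSON tags but is not the k8s.io/apiserver type; the annotation keys (authentication.openshift.io/username, authentication.openshift.io/decision, authentication.openshift.io/reason), the /oauth/authorize request URI, the 10 minute deadline and the sample addresses and timestamps are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Annotation keys carrying the login outcome; the key names are assumed for this example.
const (
	annoUsername = "authentication.openshift.io/username"
	annoDecision = "authentication.openshift.io/decision" // "allow", "deny" or "error"
)

// Event is a hand-written subset of the upstream audit.k8s.io/v1 Event with its JSON tags
// (the real type in k8s.io/apiserver uses metav1.MicroTime and is not imported here).
type Event struct {
	Kind                     string            `json:"kind"`
	APIVersion               string            `json:"apiVersion"`
	Level                    string            `json:"level"`
	AuditID                  string            `json:"auditID"`
	Stage                    string            `json:"stage"`
	RequestURI               string            `json:"requestURI"`
	User                     struct{ Username string `json:"username,omitempty"` } `json:"user"`
	SourceIPs                []string          `json:"sourceIPs,omitempty"`
	RequestReceivedTimestamp time.Time         `json:"requestReceivedTimestamp"`
	StageTimestamp           time.Time         `json:"stageTimestamp"`
	Annotations              map[string]string `json:"annotations,omitempty"`
}

// LoginEvent records one attempt against the authorize endpoint; a denied attempt keeps
// the username that was tried, so guessing against one account is visible from the log.
func LoginEvent(auditID, username, decision, sourceIP string, received, done time.Time) Event {
	ev := Event{
		Kind: "Event", APIVersion: "audit.k8s.io/v1", Level: "Metadata", AuditID: auditID,
		Stage: "ResponseComplete", RequestURI: "/oauth/authorize",
		SourceIPs: []string{sourceIP}, RequestReceivedTimestamp: received, StageTimestamp: done,
		Annotations: map[string]string{annoUsername: username, annoDecision: decision},
	}
	ev.User.Username = username
	return ev
}

// TimeoutEvent synthesizes the failure the ticket proposes for a flow that never completed
// within the deadline (ok is false before it); no username is known at that point.
func TimeoutEvent(auditID, sourceIP string, started, now time.Time, deadline time.Duration) (ev Event, ok bool) {
	if now.Sub(started) < deadline {
		return Event{}, false
	}
	ev = LoginEvent(auditID, "", "error", sourceIP, started, now)
	ev.Annotations["authentication.openshift.io/reason"] = "login flow did not complete within " + deadline.String()
	return ev, true
}

// Line renders one record in the JSON-lines framing the apiserver audit files use
// (marshalling this plain struct cannot fail, so the error is dropped).
func Line(ev Event) string {
	b, _ := json.Marshal(ev)
	return string(b) + "\n"
}

// ParseLog reads a JSON-lines audit file back (trailing newline trimmed; an interior blank
// line is reported as a bad line rather than silently skipped).
func ParseLog(data string) ([]Event, error) {
	var out []Event
	for _, line := range strings.Split(strings.TrimSpace(data), "\n") {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		out = append(out, ev)
	}
	return out, nil
}

// FailedLoginsBySource is the consumer side: per source IP, count login records whose
// decision is not "allow"; events without a decision annotation are not login records.
func FailedLoginsBySource(events []Event) map[string]int {
	counts := map[string]int{}
	for _, ev := range events {
		if d, isLogin := ev.Annotations[annoDecision]; isLogin && d != "allow" && len(ev.SourceIPs) > 0 {
			counts[ev.SourceIPs[0]]++
		}
	}
	return counts
}

// SampleLog is a constructed audit file: two bad passwords then a success for alice from
// one address, plus a flow from another address that ran past the 10 minute deadline.
func SampleLog() string {
	t0 := time.Date(2021, 1, 1, 12, 0, 0, 0, time.UTC)
	data := Line(LoginEvent("a1", "alice", "deny", "10.0.0.5", t0, t0.Add(time.Second))) +
		Line(LoginEvent("a2", "alice", "deny", "10.0.0.5", t0.Add(2*time.Second), t0.Add(3*time.Second))) +
		Line(LoginEvent("a3", "alice", "allow", "10.0.0.5", t0.Add(5*time.Second), t0.Add(6*time.Second)))
	if ev, ok := TimeoutEvent("b1", "10.0.0.9", t0, t0.Add(11*time.Minute), 10*time.Minute); ok {
		data += Line(ev)
	}
	return data
}

func main() {
	events, _ := ParseLog(SampleLog())
	fmt.Println(FailedLoginsBySource(events)) // map[10.0.0.5:2 10.0.0.9:1]
}
```

      Two design points worth keeping if this is turned into real code: the denied attempt records the username that was tried in both `user.username` and the annotation, because a brute-force pattern is only visible when failures can be tied to an account, and the timeout event deliberately carries a distinct decision ("error") and a reason so that a consumer can separate "wrong password" from "user never came back from the IdP".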

      User Stories (PM)

      Dependencies (internal and external, lead)

      Previous Work (lead)

      Open questions (lead)

      1. ...

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>


            kostrows@redhat.com Krzysztof Ostrowski
            rhn-support-dahernan David Hernandez Fernandez
            Xingxing Xia Xingxing Xia